I actually did a bunch of work for this at a previous job. It was
supposed to be opensource'd, but then I switched jobs and the new
internal-maintainer never got around to opening it up :(
My short answer is that audit is probably the wrong tool for this,
especially for machines pushing a large am
On Fri, May 29, 2015 at 9:28 AM, Richard Guy Briggs wrote:
> On 15/05/29, Peter Moody wrote:
>> Did this [1] land? I'm guessing no because the next pull request from
>> Eric Paris didn't include it and I don't see it referenced in any of
>> Paul's pull re
Did this [1] land? I'm guessing no because the next pull request from
Eric Paris didn't include it and I don't see it referenced in any of
Paul's pull requests. Finally (most tellingly), I don't see anything
in Linus' tree.
Cheers,
peter
[1] https://www.redhat.com/archives/linux-audit/2014-Octobe
On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
> Hi folks,
>
> I have auditing for outbound connect requests working using the Connect
> (sys_connect) syscall on a server running *Ubuntu precise 12.04 LTS*.
>
> The rule I'm using is:
>
> -a exit,always -F arch=b64 -S connect -k network_outbound
On Wed, Apr 30 2014 at 12:10, Warron S French wrote:
> Does anyone know how to load the audit rules (as written in
> /etc/audit/audit.rules) without actually using the auditd daemon?
man auditctl
(-R)
Cheers,
peter
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mail
On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> Missing INTEGRITY_RULE
IMA with an 'audit' rule generates INTEGRITY_RULE messages.
I asked this same question a couple of months ago.
https://www.redhat.com/archives/linux-audit/2013-October/msg00083.html
On Wed, Dec 25 2013 at 03:21, Aaron Lewis wrote:
> Hi,
>
> is it possible to completely disable audit log?
>
> I use a dispatcher to handle everything and doesn't want anythi
What's the actual rule? On my system, syscall 88 is either symlink (64 bit) or
reboot (32 bit).
On Sat, Dec 21 2013 at 04:48, Stefano Schiavi wrote:
> Hello,
>
> Could anyone help with this? I really don't know where else to ask.
>
> Thank you very much.
> Stefano
>
>
> On 12/15/13, 12:19 AM, St
--
[ Peter Moody | Security Engineer | Google ]
Is there any way to run auditd without any local logging? I'm trying to
see if I can get auditd to completely avoid logging locally, using only
a custom dispatcher to log events remotely but auditd refuses to start
if I set log_file = '/dev/null'.
Cheers,
peter
On Wed, Jul 03 2013 at 19:48, Richard Guy Briggs wrote:
> On Thu, Aug 23, 2012 at 12:24:00PM -0700, Peter Moody wrote:
>> This adds the ability to audit the actions of a not-yet-running process,
>> as well as the children of a not-yet-running process.
>
> Hi Peter,
>
Isn't that just the return code of the syscall in question? Meaning, you'd
need to look up the syscall in the relevant include file to see what -17
meant. Maybe auparse already does this, I'm not sure.
On May 1, 2013 12:10 PM, "Vaughn, Chad M" wrote:
> All,
>
> Is there a listing somewhere that e
a bit...
Cheers,
peter
> - Original Message -
>> This adds the ability to audit the actions of a not-yet-running process,
>> as well as the children of a not-yet-running process.
>>
>> Signed-off-by: Peter Moody
>> ---
>
Whoops, ignore this. I had misread your rules.
On Thu, Oct 18, 2012 at 8:35 AM, Peter Moody wrote:
> Also, from the auditctl manpage:
>
> The following describes the valid actions for the rule:
>
> never No audit records will be generated. This can be used to
> suppres
triggers on the first matching rule.
On Thu, Oct 18, 2012 at 8:33 AM, Peter Moody wrote:
> auditctl -a exit,always -S execve -F success=1
>
> will audit log all successful execve(2) calls by all uids. It will
> incur a (possibly significant) performance hit though. Is there a
> particu
though
>> they are noticeably more difficult to interpret.
>> Mirek
>
> --
>
> Thanks & Regards,
>
> - Koresh
>
--
Peter Moody Google1.650.253.7306
Security Engineer pgp:0xC3410038
What rules are currently installed and what logs are you seeing?
On Oct 17, 2012 5:59 AM, "Koresh..." wrote:
>
> Hi Team,
>
> I have enabled the audit logs recently ... Currently the auditd daemon is
> logging all the event and syscalls done based on default rule set ...
>
> But currently it only
hem together, beyond "pid". Or
> better yet, is there some flag in the first two entries that I might
> be missing that shows that they're 'children' of the third entry.
>
> I'm not crazy about the idea of building some of state into my parsing
> (i.e. I se
On Mon, Oct 8, 2012 at 8:22 AM, Peter Moody wrote:
> On Mon, Oct 8, 2012 at 5:23 AM, Jeff Layton wrote:
>> On Fri, 5 Oct 2012 12:41:46 -0700
>> Peter Moody wrote:
>>
>>> On Fri, Oct 5, 2012 at 10:04 AM, Peter Moody wrote:
>>> > On Fri,
On Mon, Oct 8, 2012 at 5:23 AM, Jeff Layton wrote:
> On Fri, 5 Oct 2012 12:41:46 -0700
> Peter Moody wrote:
>
>> On Fri, Oct 5, 2012 at 10:04 AM, Peter Moody wrote:
>> > On Fri, Oct 5, 2012 at 9:15 AM, Jeff Layton wrote:
>> >
>> >>>
On Fri, Oct 5, 2012 at 1:23 PM, Eric Sandeen wrote:
> On 10/5/12 10:57 AM, Peter Moody wrote:
>> On Fri, Oct 5, 2012 at 8:18 AM, Peter Moody wrote:
>>> On Fri, Oct 5, 2012 at 8:16 AM, Peter Moody wrote:
>>>> On Fri, Oct 5, 2012 at 7:26 AM, Jeff Layton wrote:
>
On Fri, Oct 5, 2012 at 10:04 AM, Peter Moody wrote:
> On Fri, Oct 5, 2012 at 9:15 AM, Jeff Layton wrote:
>
>>>
>>> [ cut here ]
>>> kernel BUG at fs/buffer.c:1220!
>>> invalid opcode: [#1] SMP
>>> CPU 0
http://lists.xen.org/archives/html/xen-devel/2012-08/msg01127.html)
xen could definitely be doing something wonky with irqs though.
> Might be interesting to add a
> check for irqs being disabled early in __audit_syscall_exit and see
> whether its doing that universally in its syscall exit routine?
I'll try this, thanks.
> --
> Jeff Layton
On Fri, Oct 5, 2012 at 8:18 AM, Peter Moody wrote:
> On Fri, Oct 5, 2012 at 8:16 AM, Peter Moody wrote:
>> On Fri, Oct 5, 2012 at 7:26 AM, Jeff Layton wrote:
>>> On Fri, 5 Oct 2012 06:57:59 -0700
>>> Peter Moody wrote:
>>>
>>>> On Fri, Oct 5, 20
On Fri, Oct 5, 2012 at 8:16 AM, Peter Moody wrote:
> On Fri, Oct 5, 2012 at 7:26 AM, Jeff Layton wrote:
>> On Fri, 5 Oct 2012 06:57:59 -0700
>> Peter Moody wrote:
>>
>>> On Fri, Oct 5, 2012 at 5:55 AM, Jeff Layton wrote:
>>> > On Thu, 4 Oct 20
On Fri, Oct 5, 2012 at 7:26 AM, Jeff Layton wrote:
> On Fri, 5 Oct 2012 06:57:59 -0700
> Peter Moody wrote:
>
>> On Fri, Oct 5, 2012 at 5:55 AM, Jeff Layton wrote:
>> > On Thu, 4 Oct 2012 11:48:23 -0700
>> > Peter Moody wrote:
>> >
>> >>
On Fri, Oct 5, 2012 at 5:55 AM, Jeff Layton wrote:
> On Thu, 4 Oct 2012 11:48:23 -0700
> Peter Moody wrote:
>
>> On Wed, Sep 26, 2012 at 6:50 AM, Alexander Viro wrote:
>> > On Tue, Sep 25, 2012 at 10:03:23AM -0700, Peter Moody wrote:
>> >> Hey folks,
>>
On Wed, Sep 26, 2012 at 6:50 AM, Alexander Viro wrote:
> On Tue, Sep 25, 2012 at 10:03:23AM -0700, Peter Moody wrote:
>> Hey folks,
>>
>> following up on old patches, are there any comments on this? Did you
>> get around to finding a better way to fix this bug, Al
On Wed, Sep 26, 2012 at 6:50 AM, Alexander Viro wrote:
> On Tue, Sep 25, 2012 at 10:03:23AM -0700, Peter Moody wrote:
>> Hey folks,
>>
>> following up on old patches, are there any comments on this? Did you
>> get around to finding a better way to fix this bug, Al
Hey folks,
following up on old patches, are there any comments on this? Did you
get around to finding a better way to fix this bug, Al?
Cheers,
peter
On Mon, Aug 20, 2012 at 10:19 AM, Peter Moody wrote:
> Hi Al,
>
> Any word on a less unpleasant fix? Also, do you know if/how I could
On Fri, Sep 21, 2012 at 8:05 AM, Diaz, DavidA (Plymouth) wrote:
> Hi:
>
> I am wondering how to use auditd and specifically ausearch, to pull out USB
> thumbdrive event insertions and removals on my Redhat Enterprise Linux 6
> Server?
>
> I can see very easily in the /var/log/messages file
>> caveat emptor sort of thing.
>>
>> I'll modify that patch and resend it, but it doesn't help the current
>> situation.
>
> I was thinking something like
> -a exit,never -S open -F exe=/bin/bash
Oh, that works too.
Do you think it's worth me fixing up th
> But looking at the event, I'm not sure about the usefulness of logging
> successful opens in the pam config directory. You might be able to better tune
> your rules. Opening for write or opens that fail might be more interesting.
>
> -Steve
>
Hey Eric,
did you have any comments on this? Is there a better way to do this?
Cheers,
peter
On Thu, Aug 23, 2012 at 12:24 PM, Peter Moody wrote:
> This adds the ability to audit the actions of a not-yet-running process,
> as well as the children of a not-yet-running process.
>
> S
'-a exit,always -S open'.
Cheers,
peter
descendant processes, opening a non-local
socket.
proposed https://www.redhat.com/archives/linux-audit/2012-June/msg2.html
and it seemed like there was interest.
Signed-off-by: Peter Moody
---
trunk/lib/errormsg.h |2 +-
trunk/lib/fieldtab.h |2 ++
trunk/lib/libaudit.c | 11 +++
This adds the ability to audit the actions of a not-yet-running process,
as well as the children of a not-yet-running process.
Signed-off-by: Peter Moody
---
include/linux/audit.h |2 ++
kernel/auditfilter.c |6 ++
kernel/auditsc.c | 47
at 6:41 PM, Peter Moody wrote:
> On Wed, Aug 15, 2012 at 6:26 PM, Alexander Viro wrote:
>> On Wed, Aug 15, 2012 at 06:13:33PM -0700, Peter Moody wrote:
>>> On certain systems, in certain pathological cases, current's cwd can
>>> be deleted while we're still pr
On Wed, Aug 15, 2012 at 6:26 PM, Alexander Viro wrote:
> On Wed, Aug 15, 2012 at 06:13:33PM -0700, Peter Moody wrote:
>> On certain systems, in certain pathological cases, current's cwd can
>> be deleted while we're still processing a syscall. This should prevent
ves/linux-audit/2012-August/msg00017.html
Signed-off-by: Peter Moody
---
kernel/auditsc.c |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4b96415..e86b8b9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2064,6
the
time.
Anyone have any idea what's going on?
Cheers,
peter
/*
* steps:
* 1) compile with gcc -m32
* 2) start auditd, install any rule (I've only tested syscall auditing, but any syscall seems to wo
On Thu, Jul 26, 2012 at 5:34 AM, Jeff Layton wrote:
> On Wed, 18 Jul 2012 14:30:41 -0700
> Peter Moody wrote:
>
>> Additionally it looks like audit_free_names might return too early when
>> AUDIT_DEBUG was set to 2.
>>
>> Signed-off-by: Peter Moody
Were there any comments on this?
On Wed, Jul 18, 2012 at 2:30 PM, Peter Moody wrote:
> Additionally it looks like audit_free_names might return too early when
> AUDIT_DEBUG was set to 2.
>
> Signed-off-by: Peter Moody
> ---
> kernel/auditsc.c |8
> 1 files
ppening?
>
> Thanks - Michael Mather
> ---
Additionally it looks like audit_free_names might return too early when
AUDIT_DEBUG was set to 2.
Signed-off-by: Peter Moody
---
kernel/auditsc.c |8
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4b96415..0c1db46 100644
[32581.836146] RSP
[32581.836157] ---[ end trace 0658a2308b35c81e ]---
] ; do /etc/init.d/auditd start && sleep 5 &&
/etc/init.d/auditd stop ; done usually triggered it within a few
minutes
> Such as:
>
> -w /etc/sudoers -p rwxa -k sro
>
> -Original Message-
> From: Peter Moody [mailto:pmo...@google.com]
> Sent: Friday, July 13
=4294967295
> -F dir=/var -k sro
>
> --
>
> Regards,
>
> Chad Vaughn
>
> chad.m.vau...@lmco.com
cdrom
> mount: only root can do that
>
> but /var/log/audit/audit.log does not capture this event
>
> Any input is much appreciated!
>
> Thanks in advance
>
> Betty
e who
weren't interested. But yes, my tests showed that this audit rule
worked even when /home/ was an nfs automounted directory.
Cheers,
peter
On Fri, Jun 8, 2012 at 6:51 AM, Steve Grubb wrote:
> On Friday, June 08, 2012 09:35:01 AM Steve Grubb wrote:
>> On Thursday, June 07, 2012 06:31:47 PM Peter Moody wrote:
>> > Is there any way to audit syscalls made by a particular, not yet
>> > running, application
match_tree_refs kernel/auditsc.c:444
audit_tree_match kernel/audit_tree.c:198
Does that sound right?
On Tue, Jun 26, 2012 at 11:01 AM, Peter Moody wrote:
> How does auditd perform on a rule like the following, assuming that
> /home/ is an nfs mount?
>
> -a exit,always -F arch
/ is giant (several K entries),
does this run the risk of filling fsnotify (inotify?) watch lists?
Cheers,
peter
ve put into making that easy (easier), is
still a non-starter for some people.
Cheers,
peter
l bind() calls which
*aren't* made by chrome (a silly rule to be sure, but just thrown out
as a hypothetical)
If it's not possible to do this now, is there interest in adding this feature?
Cheers,
peter
fsnotify_destroy_mark_by_entry(entry);
> + fsnotify_put_mark(entry);
>
> The difference being that inotify_evict_watch() took a reference on
> chunk->watch, however fsnotify_destroy_mark_by_entry() does not. So the
> fsnotify_put_mark() was incorrect.
>
> I'd lo
>mnt_fsnotify_marks lists are protected by a spinlock on both the
read and the write side. This patch protects the read side of those lists
with a new single srcu.
Signed-off-by: Eric Paris
> + fsnotify_get_mark(mark);
> spin_lock(&destroy_lock);
> list_add(&mark->destroy_list, &destroy_list);
> spin_unlock(&destroy_lock);
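Review bot: the reference taken by `+ fsnotify_get_mark(mark);` before the mark is queued on destroy_list has to be dropped by whatever drains destroy_list, and that side is not in the quoted hunk; confirm the drain path calls fsnotify_put_mark() on each entry it takes off the list, otherwise every destroyed mark leaks a reference.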
> --
> 1.7.9.4
>
>
> On Tue, 17 Apr 2012 14:54:29 -0700
> Peter Moody wrote:
>
>> Last thing. moving sy
e, Apr 17, 2012 at 11:24 AM, Peter Moody wrote:
> and my config.gz
>
> On Tue, Apr 17, 2012 at 10:56 AM, Peter Moody wrote:
>> Here's a trace with debugging turned way up plus a few extra printk's
>> added to fs/notify/mark.c. I'm looping through private
#1 SMP Tue Apr 17 09:59:44 PDT 2012
x86_64 GNU/Linux
Cheers,
peter
On Thu, Apr 5, 2012 at 2:07 PM, Eric Paris wrote:
> please please please keep on list. Everything you say might help track
> it down!
>
> On Thu, 2012-04-05 at 14:03 -0700, Peter Moody wrote:
>> (please let
(please let me know if I should take this off-list)
One other thing (again, maybe already known), but this seems to be
exacerbated by SMP. On my machine, I can't reproduce the crash if I
boot with maxcpus=1.
Still hunting.
Cheers,
peter
On Tue, Apr 3, 2012 at 9:15 AM, Peter Moody
ll keep you
> uptodate with the things i find out.
>
> V.
>
> On Mar 29, 2012 4:14 AM, "Eric Paris" wrote:
>>
>> That patch fixes a BUG() . The report has a NULL ptr deref and some
>> apparent list corruption. Sadly they aren't the
fyi: this patch [1] seems to fix the issue for me. The explanation in
the subject would reliably oops my machine.
[1]
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fed474857efbed79cd390d0aee224231ca718f63
On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody wrote:
>
> The Gentoo bug i opened is sleeping, it seems nobody has the time to at
> least test to confirm or not the problems i'm seeing (or everybody's
> thinking that nobody would restart auditd so often, so the bug it's not that
> serious).
>
>
> Thank you for your time.
On Thu, Mar 22, 2012 at 5:55 AM, Steve Grubb wrote:
> On Wednesday, March 21, 2012 06:12:31 PM Peter Moody wrote:
>> lib/gen_tables.c is missing an include for linux/fs.h
>> src/ausearch-report.c is missing includes for linux/fs.h and limits.h
>>
>> refuses to build w/o
On Wed, Mar 21, 2012 at 2:36 PM, Steve Grubb wrote:
> On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
>> This is against the 2.2 release.
>
> Thanks. I will apply this with probably a small change or two.
>
>> I wasn't able to get HEAD to compile (issue
On Wed, Mar 21, 2012 at 1:12 PM, Steve Grubb wrote:
> On Wednesday, March 21, 2012 12:38:06 PM Peter Moody wrote:
>> On Tue, Mar 20, 2012 at 11:07 AM, Steve Grubb wrote:
>> > On Friday, March 16, 2012 05:50:56 PM Peter Moody wrote:
>> >> line 1162 in auditctl.c
This is against the 2.2 release. I wasn't able to get HEAD to compile
(issues with mounttab.h that didn't want to run down because this is
such a small patch).
Signed-off-by: Peter Moody
---
trunk/src/Makefile.am |2 +-
trunk/src/auditctl.c | 11 +--
2 files c
On Tue, Mar 20, 2012 at 11:07 AM, Steve Grubb wrote:
> On Friday, March 16, 2012 05:50:56 PM Peter Moody wrote:
>> line 1162 in auditctl.c has this:
>>
>> #ifndef DEBUG
>> /* Make sure we are root */
>> if (getuid() != 0) {
>> fprintf(stderr,
r case, we have a setuid helper that allows
a normal user to run 'auditctl -l' (with a clean environment), and
this prevents the setuid helper from working.
Cheers,
peter
On Tue, Feb 28, 2012 at 3:07 PM, Steve Grubb wrote:
> On Wednesday, December 14, 2011 08:18:30 PM Peter Moody wrote:
>> > Testing has revealed a couple of bugs in this. Fixing these and
>> > testing some more now.
>>
>> Ok, this should be the last one. I w
> This was enough to oops and crash the kernel in less than one hour on the
> servers where i did the tests. If any similar behavior happens, i'd be very
> interested to know the the kernel version and distro.
>
> Thank you for your time.
>
>
Cheers,
peter
peter
ts. Thus things which were passing it a
> task_struct and offset as the second pointer were walking the
> audit_names list dereferencing some random distance (distance of
> loginuid inside a task_struct) from the found name and using that memory
> location as a uid. Opps.
>
Whoops
On Wed, Dec 14, 2011 at 12:32 PM, Steve Grubb wrote:
> On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > > Closer. All permutations of uid and gid being able to compare against
> > > either object or process credentials. Like auid!=ouid or auid!=uid.
> >
send my patches along if it does.
Cheers,
peter
s were plain
wrong.
This one tests good to me though.
Signed-off-by: Peter Moody
---
trunk/auparse/typetab.h |2 +
trunk/lib/errormsg.h|7 +-
trunk/lib/fieldtab.h|3 +
trunk/lib/libaudit.c| 303 +++
trunk/lib/liba
On Tue, Dec 13, 2011 at 5:38 PM, Peter Moody wrote:
> Here's the updated version, now supporting all of the interfield
> comparisons from
> https://www.redhat.com/archives/linux-audit/2011-December/msg00018.html
>
> auditctl -l doesn't report the comparison filters co
Here's the updated version, now supporting all of the interfield
comparisons from
https://www.redhat.com/archives/linux-audit/2011-December/msg00018.html
auditctl -l doesn't report the comparison filters correctly. I'll look
more into this.
Signed-off-by: Peter Moody
---
This still requires the same patches from Eric that I mentioned in my
first email
Cheers,
peter
Signed-off-by: Peter Moody
---
include/linux/audit.h | 37 ++--
kernel/auditsc.c | 114 ++---
2 files changed, 140 insertions(+), 11 dele
On Mon, Dec 12, 2011 at 6:27 AM, Steve Grubb wrote:
> On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> > Not sure if this is the right way to go about this, but I've got a couple
> > of patches I'd like to be considered for inclusion.
>
> I think
On Mon, Dec 12, 2011 at 6:40 AM, Steve Grubb wrote:
> On Sunday, December 11, 2011 02:09:27 PM Peter Moody wrote:
> > This patch extends Eric's test patch from 11/17 (
> > http://www.redhat.com/archives/linux-audit/2011-November/msg00045.html).
> > This turns -C in
ore auditd internal knowledge can explain what's
going on.
auditctl -l doesn't know how to report this yet; if this patch is generally
acceptable, I can try to fix that and update the manpage, etc.
Signed-off-by: Peter Moody
---
trunk/auparse/typetab.h |1 +
trunk/lib/fieldt
inux-audit/2011-November/msg00036.html)
[19/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00037.html)
[20/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00038.html)
Signed-off-by: Peter Moody
---
include/linux/audit.h |4 +++-
kernel/audits
I've got a watch looking at /dev/mem
auditctl -w /dev/mem -k kernel -p wa
which I understand means that auditd is looking for writes or attribute
changes to /dev/mem (according to the manpage for auditctl)
The weird thing is that auditd seems to be flagging calls to fstat, and I'm
not sure why
Excellent, thank you!
Cheers,
peter
On Thu, Nov 17, 2011 at 2:23 PM, Eric Paris wrote:
> This is NOT full support for the new inode filter constructs I added to
> the policy, but is just enough to test some of it. I'm hoping someone
> else will write real userspace patches. One will need to a
On Tue, Nov 8, 2011 at 3:17 PM, Eric Paris wrote:
> On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> > Apologies if this is the wrong list:
> >
> >
> > Is it possible to filter on what shows up in the audit logs as the
> > ouid of an inode being accessed?
On Tue, Nov 8, 2011 at 3:17 PM, Eric Paris wrote:
> On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> > Apologies if this is the wrong list:
> >
> >
> > Is it possible to filter on what shows up in the audit logs as the
> > ouid of an inode being accessed?
Apologies if this is the wrong list:
Is it possible to filter on what shows up in the audit logs as the ouid of
an inode being accessed?
Alternatively, if I'm only interested in inodes of a particular ouid (or
more specifically, accesses to an inode of a particular ouid from a process
with a diff